BIG-IP Deployed with Renewal of Campus Information Network
Consolidation of Border Firewalls for External Access Routes into a Single Unit
Expectations for Protection Against DDoS Attacks and DNS Attacks
The University of Tsukuba, a national university corporation, has been operating its campus network for 30 years since the dawn of the Internet. With the renewal of the campus information network in August 2015, a BIG-IP 7200v was installed on the access route from the outside. The perimeter firewall, which previously distributed the load among multiple devices, has been consolidated into a single firewall to improve manageability and processing capacity. It is also expected to enable more advanced countermeasures against DDoS attacks, which have been increasing rapidly in recent years, and to respond to attacks targeting the DNS.
The University of Tsukuba is a comprehensive university that offers an unparalleled breadth of academic disciplines. Its information network has been in operation since the early days of the internet. When the university transitioned to the status of a National University Corporation in 2004, it adopted a leasing system for its equipment, with replacements subsequently scheduled approximately every six years. The most recent replacement took place in August 2015, with the launch of new network services in September of the same year.
“One of the major challenges during this replacement was centralizing operational management and improving security,” explains Dr. Satoshi Sato, Associate Professor at the Network Research and Development Division, Academic Center for Computing and Media Studies, Organization for Information Environment, University of Tsukuba.
Since the network’s initial deployment, the university's management structure has relied on departmental autonomy, with each faculty and organizational unit appointing its own network managers. However, after around 30 years of operation, the university is now facing a transitional period, as retirements from network management roles have created numerous instances where knowledge transfer is imperative. Dr. Sato highlights the risks associated with this:
“If the individuals inheriting these responsibilities lack adequate knowledge of the network, unexpected failures are likely to occur. From a security standpoint, this could also result in potentially vulnerable networks.”
In addition, Dr. Sato points out another growing challenge: the increasing frequency of DoS and DDoS attacks.
Another issue is the fragmentation of the university's internal network into multiple domains, with DNS servers scattered across the ecosystem. Dr. Sato warns of potential security threats stemming from this structure.
“Recently, we have seen an increase in attacks targeting DNS servers. If there are DNS servers within the network that are outdated and not properly maintained, they are at a significantly higher risk of becoming the target of such attacks,” he explains.
To address these challenges, the August 2015 equipment update began with reorganizing the network segments. The previously fragmented segments, which were managed separately by each faculty and department, are now in the process of being restructured into functional segments, such as server segments and client segments. This restructuring is creating a network environment where even the limited staff at the Academic Center for Computing and Media Studies can effectively manage the network down to its endpoints. These functions are now consolidated onto a single BIG-IP device.
In addition, to guard against external attacks, a high-performance BIG-IP with DDoS protection has been deployed along the access routes from the internet (SINET5). This ensures proactive measures are in place to mitigate attacks from external sources.
The migration to SINET5 was scheduled to take place in April 2016.